Phishers and phone fraudsters are capitalizing on public concern over a massive data breach announced this week at health insurance provider Anthem in a bid to steal financial and personal data from consumers.
The flood of phishing scams was unleashed just hours after Anthem announced publicly that a “very sophisticated cyberattack” on its systems had compromised the Social Security information and other personal details on some 80 million Americans.
In a question on its FAQ page about whether it would be offering credit monitoring to affected customers, “Anthem said All impacted members will receive notice via mail which will advise them of the protections being offered to them as well as any next steps.” Unsurprisingly, phishers took that as an invitation to blast out variations on the scam pictured below, which spoofs Anthem and offers recipients a free year’s worth of credit monitoring services for those who click the embedded link.
Don’t click or respond to these phishing emails.
According to Anthem, fraudsters also are busy perpetrating similar scams by cold-calling people via telephone. In a recording posted to its toll-free hotline for this breach (877-263-7995), Anthem said it is aware of outbound call scams targeting current and former Anthem members.
“These emails and calls are not from anthem and no notifications have been sent from anthem since the initial notification on Feb. 4, 2015,” Anthem said in a voice recording on the hotline.
It is likely that these phishing and phone scams are random and opportunistic, but there is always the possibility that the data stolen from Anthem has fallen into the hands of scam artists. According to Anthem, the information stolen includes the consumer’s name, date of birth, member ID, street address, email address, phone number and employment information. However, experts believe that the attack on Anthem was perpetrated by state-sponsored hackers from China seeking information on specific individuals for espionage purposes, although that conclusion has not been independently confirmed.
The company says it will begin sending notifications to affected consumers via snail mail in the coming weeks. In the meantime, if you’re a current or former Anthem member, be aware that these types of scams are likely to escalate in the coming days and weeks.
Tags: 877-263-7995, anthem data breach, anthem phishing attacks
Jeez! It’s like throwing a pebble in a pond. Ever-growing rings of cyber-crime!
Brian – it would be nice if they defined “former” customers…former as in any customer since the beginning of time? Or only those with active plans within the last five years? Do they ever purge old records?
How am I to receive a letter if I have moved many times since I had anthem, etc.
Frustrating!
As I commented in the first post, about five years Anthem kept applicant data on a non-secure server. If someone became a customer, that data was copied to the regular, secure server and the old data was deleted. But if someone never became a customer, that data remained. And, of course, that server was breached. It was a HIPAA violation, but people who suffered identity theft only received a one year subscription to a credit monitoring service. I think you and all other former customers are in the same boat, sorry to say.
It feels like all of this is now just a part of life. It’s not a case of ‘if’ you will be affected, but a case of ‘when’.
As one other witty person noted – it was just the right time for another major breach. My one year identity theft protection from Target was about to run out!
Seriously – Anthem didn’t encrypt the patient confidential information internally. Only because someone noticed data requests being made in their name was the hack discovered. No technology made the detection. JP Morgan spent $250M/year on information security. What did Anthem spend and what did they get for it?
The cost to us as individuals, as companies, as a nation, as a world are high and diverting resources from pressing needs. We need a better way.
Jonathan @nc3mobi
Encryption is not a magic sauce. Encryption is great for data in static storage or being transmitted, less good for data being used because it has to be decrypted to be used. Steve Bellovin explains better than I could: http://arstechnica.com/security/2015/02/why-even-strong-crypto-wouldnt-protect-ssns-exposed-in-anthem-breach/
At least at this point, it seems that the breach was the result of compromising one or more DBA passwords. Anthem’s DBAs would have needed the ability to see data in plain text form.
As long as you’re using “When” to indicate the past because it’s probably already happened to anyone old enough to drive.
Keeping the SSN alive is all part of a plan to cause the citizenry to increasingly clamor for a secure replacement.
Once critical mass is reached, the government will release their already-written plan for a semi-secure, unique identifier that will become part of you at birth via an implant for your convenience.
https://en.wikipedia.org/wiki/Sheeple
Okay so this breach is a HIPAA violation.
so what does that say about compliance frameworks if you just are not investing resources to protect the information entrusted to these organizations.
Consequences must be expected and scaled to the violation such that its deterrent value assures true compliance.
Or we could just shrug our shoulders once more and hope that there will not be a next time…
80 million records is almost one quarter of the US population. Random calls and emails have a pretty good chance of reaching actual Anthem customers. A lot of others aren’t sure but they know they have Blue Cross Blue Shield insurance so they think they might have been impacted.
It seems like the list of US population not having their identity placed at risk might be shorter than those who have.
From experience working with these types of things I believe that encryption of the data would most likely have made little difference. Encryption only works well to protect data at rest or data in transit. Its doesn’t do a good job protecting you when you have data in is use. If data is to be used it needs to be viewed. If compromised account has business need to use the data, it would have been able to use the keys to access and view the data.
Sure the SSN could have been encrypted field but would that have kept information secure in an environment where numerous individuals and systems have the keys to decrypt it…..very unlikely. The problem is that the fields with the scariest data in it, are the ones the insurance industry often uses the most. Would be different if they rarely used these fields that only a few people needed to index on or access.
Encryption doesn’t fix everything. Its just another door that requires someone to have a key. If done right is a very strong door. Doesn’t work if everyone needs the key there fore everyone has a key or if there are weak protections on the key. Encryption of data in a database is really just another type of access control when it comes to securing data in use.
Real question will be how they implemented their access controls, data structures, and server logging and alerting, Then learning what can been done keep this from happening again and how those lessons can be leveraged across the industry. One of the largest outcomes may be a shift in what data the industry uses to index and identify unique individuals. As its easy to see how their business models are putting a huge burden on their InfoSec teams.
The last time I made the suggestion below, I was slammed by the Very Knowledgeable experts who read Brian’s articles. I was ignorant, didn’t understand how programming projects worked, how impossible it would be for foreign offices not to have direct access to important data, etc, etc.
Sensitive data, whether important software code or personal customer info, does not belong on a server accessible by the Internet. I don’t care how f*king inconvenient that makes it for programmers or service reps or anyone else. Access to that information should only be allowed offline. Should someone in your office in Timbuktu need something on a server in NYC, s/he should requisition it, the info be offloaded and transmitted securely with the understanding that Timbuktu will immediately convey the data to an offline device and then remove it from their online server.
Richard P. Feynman said, “It doesn’t matter how beautiful your theory is, it doesn’t matter how smart you are. If it doesn’t agree with experiment, it’s wrong.” So I submit this question. Is Anthem’s breach (BTW, 80 million is over one third of the entire US adult population), sufficiently contrary to the accepted laissez faire protocol of leaving data online to prove the protocol wrong?
In a word: yes. You’re right (IMO).
I know of one company (international in scope) which follows this policy—not naming names because someone would take it as a challenge and try for at least a DDoS attack. But all of their sensitive information is totally disconnected from the internet. Websites are served from physically separate servers with NOTHING on them but the website data. Also, customers can’t access sensitive data over the internet—they have to actually go in to a branch office or talk to an employee.
“Inconvenient”? Maybe. (I don’t think so.) But they’ve never been hacked and they never will…there’s nothing there to hack on their internet-facing computers.
If I had sensitive data personally, I would follow the same policy and have two separate computers, one of which would be permanently disconnected from the internet. But I figure there’s no point in me doing that when so many companies have all my sensitive data anyway and store it so insecurely. To quote a sci-fi novel: “Do you worry about the seventh lock on the back door when the front door is open?”
The continuing use of Social Security numbers as any kind of unique identifier defies reason. I don’t follow every data breach that occurs, but the size of this one, along with the inclusion of the number that every U.S. citizen is instructed to guard with their life, the number that ties together our financial security with a bow, is, I believe, unprecedented. This was bound to happen. I’m only surprised that it took so long.
As former Anthem customers, my wife and I have been given a wake up call to lock down our credit with the three major agencies. Given the amount of time that actually took, it would seem a lot of other people got the same call. What more we can do? In our modern age, the financial damage that can result from someone in possession of a linked name, DOB and SS#, is akin to a form of slavery. Our financial freedom, that has taken years to nourish and grow, can be wiped out in an instant.
Unfortunately, unless one wants to stuff money in their proverbial mattress and likely live a life filled with paranoia, or can exist solely on the barter system, some kind of unique identifier is absolutely necessary. It is well beyond time to scrap the Social Security number as this unique identifier.
I began this comment to make a snarky remark about the security of Bitcoin, or lack thereof (insert link to the latest Bitcoin plundering here). Unfortunately, the need for keeping our financial data and our money secure is here to stay, at least for the time being. Any humorous remarks are overshadowed with trepidation. Ask anyone who has been the victim of identity theft and hear their tales of the countless hours, days and months it took them to regain some semblance of their identity.
That we allow this to continually happen, and to a worse and worser degree, is troubling. That the U.S. banking industry took a decade longer than Europe to adopt the more secure chip and pin system is embarrassing, but the risk was all theirs to take. Will our do-nothing congress take a leadership role in moving the U.S. in the right direction? I’m not holding my breath.
I am just curious…. Why would an insurance need or keep income information and Cc info?
Thank you for the update .